• GetAdmin - tool that is used to escalate privileges on an Windows system
• CheckAdmin - see who is a member of the Administrator group in your LAN
• Red Button - remotely logs onto target machine without authentication using NetBIOS ports 137, 138, and 139
• Winfo - remotely retrieve a list of user accounts, workstation trust accounts, interdomain trust accounts, server trust accounts, and shares
• WinFingerPrint - enumerate OS, users, groups, SIDs, password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks, security event log, and time of day utilizing NT Domain (Net*), Active Directory, or WMI APIs.
• Passwords
  • L0phtcrack - free version uses dictionary; brute force version requires payment
  • NTSweep - free version; tries changing passwords over the network
  • NTCrack
  • PWDump
  • Advanced NT Security Explorer
  • Obtaining passwords
    • Sniffing the passwords off the network - Ethereal - free network protocol analyzer
    • Booting into another OS (e.g. Linux or DOS) and copying the SAM file NTFSDOS or LINNT
    • Using LINNT to obtain administrator access (Only works on a pre-sp3 computer WITHOUT syskey installed)
    • Obtaining a copy of the SAM file from c:\winnt\repair or a backup directory
    • Obtaining a copy from a tape or emergency repair disk
    • Boot with another OS and change the passwords (Offline NT Password and Registry Editor)
• Scan ports - NetBrute Scanner; also scans for open shares

Please mail any comments about this page to summers_wayne@ColumbusState.edu